MacKeeper Admin Rights Obtained via Executable Instructions in URL

MacKeeper is an all-on-one utility. The services it provides include: safe browsing, anti-virus, cleaning junk files, tracking your Mac if you happen to lose it or it gets stolen among others.
The program has been developed by the Ukraine-based company ZeoBIT and is currently distributed by Kromtech Alliance Corp. The companies claim that they have had over 20 million downloads for the program in the last five years.

There has been a real uproar, however, whether this is a legitimate and useful program. This is mainly because of its marketing and distribution tactics. It has been reported that there a great amount of fake reviews posted about the program. Also, for a time, it used to be advertised as another program. So users thought they were downloading one program and instead got MacKeeper.

Another thing that has been cleared out is that MacKeeper shows alerts even on fresh Macs. This is very suspicious. This is just to get users to purchase a license. Such tactics are very often used by unreliable software that does not provide any services at all, and only receives money from users.
As for the vulnerability itself, it was discovered by Brandon Thomas, a virtual security researcher. Later, BAE Systems reported that the very same vulnerability had been used by attackers.

The Attack Explained

First, users will receive a phishing email that contains a malicious link. If users do click on this URL, a dialogue box will appear that informs them that a malware attack is taking place. Sounds like MacKeeper is doing its job, right? However, the dialog box will also want you to enter a password. If you have not logged in with your MacKeeper, it will ask for a username, as well. Upon entering the password, you will be executing the malware with admin rights. Then, it will most likely start causing havoc on your system or target your sensitive information.

The vulnerability is a result of “a serious flaw in the way MacKeeper handles custom URLs that allows arbitrary commands to be run as root,” as SecureMac reports. This can allow arbitrary commands to be run as root. Basically, these custom URLs contain code that can mess with MacKeeper. This includes manipulating dialog boxes that appear.

MacKeeper’s Reaction

After the reveal of this vulnerability, MacKeeper have contacted Brandon Thomas for further information. Since then, they have released a short statement on their blog along with a new update that is supposed to fix the problem. Nonetheless, they did not disclose, how exactly this fix was handled.
Still, you should consider whether you want software such as MacKeeper on your system, considering its history and all.

Attacks such as this one are becoming a bigger concern in the industry. Arbitrary executable code that is delivered through the Web cannot be handled by the in-built tools of Windows, Linux, and OSX. Simon Crosby, CTO and co-founder of Bromium, argues that “The only way forward is to eliminate vectors of attack by isol.